SAP applications

This topic describes the SAP applications plugin.

Support

Target devices

The CPM supports remote account management for SAP application server accounts on the following target device:

  • SAP NetWeaver 7.5

Accounts

The CPM supports account management for the following accounts:

  • ABAP users (built-in):

    • SAP*

    • DDIC

    • EARLYWATCH

  • Java users (built-in):

    • j2ee_admin

  • SAP Dialog Users

  • Communication Data

  • Service

  • System

Platforms

In the Privilege Cloud Portal Platform Management page, make sure that the following target account platform is displayed:

  • SAP

Connection Methods

This plug-in supports the following connection methods to the remote machine:

  • RFC

  • SNC

Actions

The following table lists the supported password/SSH key management actions for this platform:

Action

Supported

Permissions

Verify

Yes

Read only

Change

Yes

 

Reconcile

Yes

Administrator

See SAP machine prerequisites for more information.

Reconcile/Logon Account

Action

Supported

Required

Platform

Permissions

Logon and change

Yes

Yes

SAP

Administrator

See SAP machine prerequisites for more information.

Reconcile

Yes

Yes

SAP

Administrator

See SAP machine prerequisites for more information.

Connection Components

The SAP GUI PSM connector is used with accounts managed by this plugin.

Configuration

Prerequisites on the CPM machine

  1. Download either vcredist_x86.exe (for 32bit) or vcredist_x64.exe (for 64bit) from the Microsoft website.

    Use the following link: https://www.microsoft.com/en-us/download/details.aspx?id=40784

  2. Run the executable to install the package on the CPM machine.

  1. Download vcredist_x86.exe from the Microsoft website.

    Use the following link: https://www.microsoft.com/en-us/download/details.aspx?id=5582

  2. Run the executable to install the package on the CPM machine.

  1. Get the following packages for SAP:

    • nwrfc750P_12-70002753.zip

    • SAPCAR (sapcar.exe)

  2. Extract the SAR file:

    • sapcar.exe -xvf NWRFC_2-20002217.SAR

  3. Make sure that the nwrfcsdk/lib directory was created on your local drive. This directory contains the RFC DLLs that are required for the SAP plug-in operation. The following table lists all the NWRFCSDK DLL Dependencies:

    DLL Name DLL File Version
    sapnwrfc.dll 7530.1115.33.17733
    icudt50.dll 50.1.0.1
    icuin50.dll 50.1.0.1
    icuuc50.dll 50.1.0.1
    libsapucum.dll 7530.1115.33.17733

  4. Copy the above DLL files to the CPM/bin folder. All these DLL dependencies are required for the SAP plug-in to work successfully.

    5.  

    SAP SNC cannot be shared between users.

  • The plugin uses the following port range: 3300-3399.

  • The ports used depend on the system numbers of the managed accounts for communication between the SAP plugin on the CPM machine and the SAP system.

  • Make sure the relevant ports are open between the two machines.

SAP machine prerequisites

Install Sap NetWeaver 7.5. For more information, see SAP NetWeaver.

  1. Create the target user that will be managed, if it doesn’t exist already.

     

    If you receive an "Inconsistency with Address" error message when working with the user, make sure you have provided all required fields in the user definition. For example, the "Last Name" field is required.

  2. Create the logon user that will be used to log on to the SAP application server and manage the target user’s credentials.

  3. Set the logon user as a privileged user:

    1. Create a new role (use /nPFCG).

    2. In the Authorization tab, add the name of the new role to be added or changed (if it already exists).

    3. Select Expert mode for profile generation, then click +Manually on the menu.

    4. Select the following authorization objects and edit the specified fields:

      Authorization Object Field Value
      S_RFC ACTVT (Action) 16 (execute)
      RFC_NAME (RFC object to be protected)
      • ME_USER_CHANGE_PASSWORD
      • RFCPING
      • RFC_GET_FUNCTION_INTERFACE
      • SUSR_LOGIN_CHECK_RFC
      • BAPI_USER_CHANGE
      • DDIF_FIELDINFO_GET
      • SUSR_GENERATE_PASSWORD
      RFC_TYPE (Type of RFC object) FUGR (Function group)

      S_USER_GRP

       

      ACTVT

      05

      CLASS

      *

    5. Update the logon user:

      • Link the role to the administrator user:

        1. Select the user, and then click Change.

        2. In the Role tab, add the new role.

      • Add the S_A.SYSTEM profile to the administrator user:

        1. Select the user, and then click Change.

        2. In the Profile tab, add the S_A.SYSTEM profile.

       

      Users in group SUPER can only be maintained by administrators that have the S_A.SYSTEM or SAP_ALL predefined profiles. However, it is not recommended to give this user the SAP_ALL profile due to security considerations.

Platform parameters

Parameter

Description
UserType

The type of user to manage.

Valid values: Dialog, Communication Data, Service, System

Default value: Dialog
PartnerName

The SAP server identifier.

This is a SAP concept. This string should be provided by the SAP Application while configuring SNC authentication.
SNCLibrary

The SNC package dll.

If the SNC library is in the CPM bin folder, specify the dll name, for example, snclibrary.dll.If it is in another folder, specify the full path including the file name, for example c:\SNC folder\snclibrary.dll.
UseSNC

Indicates whether to use SNC when connecting to the target device.

Valid values: Yes/No

Default value: No
SAPConnectionType

How a connection to a target SAP server is established.

This parameter is relevant only for Reconcile and Logon accounts.

Valid values:

  • Direct - Direct connection to a SAP target server

  • Router - Connection to a proxy machine with a router component installed that redirects traffic to a target SAP server

  • Message Server - Connection to a Message server proxy machine that redirects traffic to a target SAP server

    When using the Message Server value, the Message server address should be specified as the Address parameter, instead of a target SAP server address.

  • Message Server through Router - Connection to a proxy machine with a router component installed that redirects traffic to a Message server proxy machine, which then redirects traffic to a target SAP server

    When using the Message Server through Router value, the Message server address should be specified as the Address parameter, instead of a target SAP server address.

Default value: Direct
SAPRouterString

The connection string that defines how to connect to a SAP Router proxy machine.

This parameter is relevant only for Reconcile and Logon accounts.

Use this parameter when the value of the SAPConnectionType parameter is either Router or Message Server through Router. If the parameter value is empty when using one of these values, you will receive an error.

The parameter value must be formatted according to the standard SAP Router template. The basic template is:

/H/<Address>/S/<Port>

<Address> = the address of a proxy machine, for example, the proxy machine's IP address

<Port> = the port number on which the SAP Router service is running

Example of the parameter value:

/H/10.20.30.40/S/3299

Default value: None
SAPMessageServerService

The Message server service port number or service name that runs on a SAP Message server machine.

This parameter is relevant only for Reconcile and Logon accounts.

Use this parameter when the value of the SAPConnectionType parameter is either Message Server or Message Server through Router.

Specify this parameter only if the message server does not listen on the standard service sapms<SysID>, or if this service is not defined in the services file and you need to specify the network port directly.

Default value: None ([SAPMessageServerService] is a placeholder value)

Account parameters

Required

Parameter

Description
Username

The name of the user on the remote machine who the password belongs to.

Valid value: Username
Address

The address of the remote machine where the password will be used.

Valid value: IP address

Optional

Parameter

Description
SAP System Number

The SAP system number.

Valid value: System number
SAP Client

The SAP client.

Valid value: Client name
UserType

The type of user to manage.

Valid values: Dialog, Communication Data, Service, System

Default value: Dialog
CPM PSE file

The SAP user identifier. This should be specified only for the Logon account.

This is a SAP concept and should be configured when creating the CPM OSE file.
PartnerName

The SAP server identifier.

This is a SAP concept. This string should be provided by the SAP Application while configuring SNC authentication.
UseSNC

Indicates whether to use SNC when connecting to the target device.

Valid values: Yes/No

Default value: The value defined for UseSNC in the platform parameter.
SAPConnectionType

How a connection to a target SAP server is established.

This parameter is relevant only for Reconcile and Logon accounts.

Valid values:

  • Direct - Direct connection to a SAP target server

  • Router - Connection to a proxy machine with a router component installed that redirects traffic to a target SAP server

  • Message Server - Connection to a Message server proxy machine that redirects traffic to a target SAP server

    When using the Message Server value, the Message server address should be specified as the Address parameter, instead of a target SAP server address.

  • Message Server through Router - Connection to a proxy machine with a router component installed that redirects traffic to a Message server proxy machine, which then redirects traffic to a target SAP server

    When using the Message Server through Router value, the Message server address should be specified as the Address parameter, instead of a target SAP server address.

Default value: Direct
SAPRouterString

The connection string that defines how to connect to a SAP Router proxy machine.

This parameter is relevant only for Reconcile and Logon accounts.

Use this parameter when the value of the SAPConnectionType parameter is either Router or Message Server through Router. If the parameter value is empty when using one of these values, you will receive an error.

The parameter value must be formatted according to the standard SAP Router template. The basic template is:

/H/<Address>/S/<Port>

<Address> = the address of a proxy machine, for example, the proxy machine's IP address

<Port> = the port number on which the SAP Router service is running

Example of the parameter value:

/H/10.20.30.40/S/3299

Default value: None
SAPMessageServerService

The Message server service port number or service name that runs on a SAP Message server machine.

This parameter is relevant only for Reconcile and Logon accounts.

Use this parameter when the value of the SAPConnectionType parameter is either Message Server or Message Server through Router.

Specify this parameter only if the message server does not listen on the standard service sapms<SysID>, or if this service is not defined in the services file and you need to specify the network port directly.

Default value: None ([SAPMessageServerService] is a placeholder value)